exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Lansweeper 7.2 Default Account / Remote Code Execution

Lansweeper 7.2 Default Account / Remote Code Execution
Posted Jun 23, 2020
Authored by Amel Bouziane-Leblond

Lansweeper version 7.2 has a default admin account enabled which allows for remote code execution.

tags | exploit, remote, code execution
advisories | CVE-2020-14011
SHA-256 | 2073135423a87b7e2be3d1d7241576c43e03f2b3a632fa7737f4c3ae63e5d661

Lansweeper 7.2 Default Account / Remote Code Execution

Change Mirror Download
# Exploit Title: Lansweeper 7.2 - Incorrect Access Control
# SHODAN DORK : title:"Lansweeper - Login"
# Date: 2020-06-14
# Exploit Author: Amel BOUZIANE-LEBLOND
# Vendor Homepage: https://www.lansweeper.com/
# Software Link: https://www.lansweeper.com
# Version: 6.0.x through 7.2.x
# Tested on: Windows
# CVE : CVE-2020-14011

### Title:
Incorrect Access Control.

### Category:
Exploit

### Severity:
Critical

### Description:
Lansweeper 6.0.x through 7.2.x has a default installation in which the
admin password is configured for the admin account, unless "Built-in
admin" is manually unchecked. This allows command execution via the
Add New Package and Scheduled Deployments features.

### Other observation:
Hi, This issue is kind of critical,
By using shodan with this filter title:"Lansweeper - Login"
We will find some Lansweeper with default installation on it


### Details:
The Lansweeper application is agentless network inventory software that can be used for IT asset management.
It uses the ASP.NET technology on its web application.

### Analysis:
When you install Lansweeper 6.0 or a more recent Lansweeper release and access the web console for the first time,
you are presented with a First Run Wizard,
which allows you to set up scanning and configure some basic options.
Any subsequent times you access the console,
you are presented with a login screen.
By default, everyone in your network can access all of Lansweeper's features and menus simply by browsing to the web console URL and hitting the Built-in Admin button.

### Suggested mitigation:
restrict access to the console and configure what users can see or do once they've been granted access.
You assign a built-in or custom user role, a set of permissions, to user groups or individual user accounts.
A user's role determines what the user can see or do within the console..

### Impact/Risk:
Remote code execution
can expose the organization to unauthorized access of data and programs, fraud.

--
Amel BOUZIANE-LEBLOND
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close